diff --git a/mozilla/content/base/src/nsFrameLoader.cpp b/mozilla/content/base/src/nsFrameLoader.cpp
index d7fb93beaab..530197a6429 100644
--- a/mozilla/content/base/src/nsFrameLoader.cpp
+++ b/mozilla/content/base/src/nsFrameLoader.cpp
@@ -160,27 +160,16 @@ nsFrameLoader::LoadFrame()
 rv = secMan->GetSystemPrincipal(getter_AddRefs(sysPrin));
 NS_ENSURE_SUCCESS(rv, rv);
- if (principal == sysPrin) {
- // We're a chrome node. Belt and braces -- inherit the principal for this
- // load instead of just forcing the system principal. That way if we have
- // something loaded already the principal used will be that of what we
- // already have loaded.
-
- // XXX bz I'd love to nix this, but the problem is chrome calling
- // setAttribute() on an iframe or browser and passing in a javascript: URI.
- // We probably don't want to run that with chrome privileges... Though in
- // similar circumstances, if one sets window.location.href from chrome we
- // _do_ run that with chrome privileges, so maybe we should do the same
- // here?
- loadInfo->SetInheritOwner(PR_TRUE);
-
- // Also, in this case we don't set a referrer, just in case.
- } else {
- // We'll use our principal, not that of the document loaded inside us.
- // This is very important; needed to prevent XSS attacks on documents
- // loaded in subframes!
- loadInfo->SetOwner(principal);
+ // We'll use our principal, not that of the document loaded inside us.
+ // This is very important; needed to prevent XSS attacks on documents
+ // loaded in subframes! Note that if |principal == sysPrin| the
+ // situation is handled by nsDocShell::LoadURI.
+ loadInfo->SetOwner(principal);
+ // Don't set referrer if we're the system principal.
+ // XXXbz not like it matters -- the URI of the system principal is
+ // null on branch...
+ if (principal != sysPrin) {
 nsCOMPtr referrer;
 rv = principal->GetURI(getter_AddRefs(referrer));
 NS_ENSURE_SUCCESS(rv, rv);
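Review bot: The new comment delegates the `principal == sysPrin` case to nsDocShell::LoadURI, but it does not record that this is a cross-file invariant with a behaviour change attached: LoadURI in this same commit only turns a system-principal owner into inheritOwner when `mItemType != typeChrome`, so a chrome-typed docshell now loads with the system principal as explicit owner where the removed branch made it inherit from the already-loaded document. That difference, and the dropped XXX note about a javascript: URI reaching a chrome frame through setAttribute(), should be stated rather than silently removed, e.g. `// A typeChrome docshell keeps the system principal as owner in LoadURI; only non-chrome docshells fall back to inheriting from the current document.` The `if (principal != sysPrin) {` block opened at the end of the hunk closes outside it, and LoadFrame continues on both sides.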
diff --git a/mozilla/docshell/base/nsDocShell.cpp b/mozilla/docshell/base/nsDocShell.cpp
index 8f62fcad322..fb0fe5b230d 100644
--- a/mozilla/docshell/base/nsDocShell.cpp
+++ b/mozilla/docshell/base/nsDocShell.cpp
@@ -771,31 +771,42 @@ nsDocShell::LoadURI(nsIURI * aURI,
 }
 // Perform the load...
 else {
- // We need an owner (a referring principal). 3 possibilities:
- // (1) If a principal was passed in, that's what we'll use.
- // (2) If the caller has allowed inheriting from the current document,
- // or if we're being called from chrome (if there's system JS on the stack),
- // then inheritOwner should be true and InternalLoad will get an owner
- // from the current document. If none of these things are true, then
- // (3) we pass a null owner into the channel, and an owner will be
- // created later from the URL.
- if (!owner && !inheritOwner) {
- // See if there's system or chrome JS code running
- nsCOMPtr secMan;
+ // We need an owner (a referring principal). 4 possibilities:
+ // (1) If the system principal was passed in and we're a typeContent
+ // docshell, inherit the principal from the current document
+ // instead.
+ // (2) In all other cases when the principal passed in is not null,
+ // use that principal.
+ // (3) If the caller has allowed inheriting from the current
+ // document, or if we're being called from chrome (if there's
+ // system JS on the stack), then inheritOwner should be true and
+ // InternalLoad will get an owner from the current document. If
+ // none of these things are true, then
+ // (4) we pass a null owner into the channel, and an owner will be
+ // created later from the channel's internal data.
+ nsCOMPtr secMan =
+ do_GetService(NS_SCRIPTSECURITYMANAGER_CONTRACTID, &rv);
+ NS_ENSURE_SUCCESS(rv, rv);
- secMan = do_GetService(NS_SCRIPTSECURITYMANAGER_CONTRACTID, &rv);
+ // Just to compare, not to use!
+ nsCOMPtr sysPrin;
+ rv = secMan->GetSystemPrincipal(getter_AddRefs(sysPrin));
+ NS_ENSURE_SUCCESS(rv, rv);
+
+ if (owner == sysPrin && mItemType != typeChrome) {
+ owner = nsnull;
+ inheritOwner = PR_TRUE;
+ }
+ else if (!owner && !inheritOwner) {
+ // See if there's system or chrome JS code running
 if (NS_SUCCEEDED(rv)) {
- nsCOMPtr sysPrin;
 nsCOMPtr subjectPrin;
- // Just to compare, not to use!
- rv = secMan->GetSystemPrincipal(getter_AddRefs(sysPrin));
- if (NS_SUCCEEDED(rv)) {
- rv = secMan->GetSubjectPrincipal(getter_AddRefs(subjectPrin));
- }
- // If there's no subject principal, there's no JS running, so we're in system code.
+ rv = secMan->GetSubjectPrincipal(getter_AddRefs(subjectPrin));
+ // If there's no subject principal, there's no JS running, so
+ // we're in system code.
 if (NS_SUCCEEDED(rv) &&
- (!subjectPrin || sysPrin.get() == subjectPrin.get())) {
+ (!subjectPrin || sysPrin == subjectPrin)) {
 inheritOwner = PR_TRUE;
 }
 }
diff --git a/mozilla/embedding/components/windowwatcher/src/nsWindowWatcher.cpp b/mozilla/embedding/components/windowwatcher/src/nsWindowWatcher.cpp
index fd438eabc3d..3969661e811 100644
--- a/mozilla/embedding/components/windowwatcher/src/nsWindowWatcher.cpp
+++ b/mozilla/embedding/components/windowwatcher/src/nsWindowWatcher.cpp
@@ -886,6 +886,17 @@ nsWindowWatcher::OpenWindowJSInternal(nsIDOMWindow *aParent,
 }
 }
+ nsCOMPtr systemPrincipal;
+ sm->GetSystemPrincipal(getter_AddRefs(systemPrincipal));
+ if (newWindowPrincipal == systemPrincipal) {
+ // Don't pass this principal along to content windows
+ PRInt32 itemType;
+ rv = newDocShellItem->GetItemType(&itemType);
+ if (NS_FAILED(rv) || itemType != nsIDocShellTreeItem::typeChrome) {
+ newWindowPrincipal = nsnull;
+ }
+ }
+
 nsCOMPtr newWindow = do_QueryInterface(*_retval);
 #ifdef DEBUG
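Review bot: The comment for case (1) says the system principal is downgraded for a typeContent docshell, but the code checks `mItemType != typeChrome`, so every non-chrome item type takes the inherit path; the comment should state the condition the code actually enforces, e.g. `// (1) If the system principal was passed in and this is not a typeChrome docshell, inherit the principal from the current document instead.` Since both `secMan` and `sysPrin` are now guarded by NS_ENSURE_SUCCESS before the `else if`, the `if (NS_SUCCEEDED(rv)) {` wrapping the subject-principal lookup can only ever see a successful rv and misleadingly suggests the service lookup may still have failed; it can be dropped or replaced by a check on the GetSubjectPrincipal result alone. Because the owner-to-inheritOwner downgrade lives only in LoadURI, callers that presumably reach InternalLoad by another route get no such treatment, which is worth saying in the comment if intended. LoadURI continues on both sides of the hunk.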
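Review bot: `sm->GetSystemPrincipal(getter_AddRefs(systemPrincipal));` discards its nsresult, unlike the matching call guarded by NS_ENSURE_SUCCESS in nsDocShell::LoadURI in this same commit, so on failure `systemPrincipal` stays null and the comparison silently degrades into a null check on `newWindowPrincipal`; the lines should read `rv = sm->GetSystemPrincipal(getter_AddRefs(systemPrincipal)); NS_ENSURE_SUCCESS(rv, rv);`. The inner `NS_FAILED(rv) || itemType != nsIDocShellTreeItem::typeChrome` test does fail closed by dropping the principal when the item type cannot be read, which is the right default and deserves a word in the comment above it, e.g. `// Fail closed: if the item type is unknown, treat the window as content.` OpenWindowJSInternal continues on both sides of the hunk.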